Dec 21, 2009

Ghostnet and the Unclassified Crisis -- Chapter 6.7

This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: fact.check.baker@gmail.com. If you're dying to order the book, send mail to the same address. I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too.

--Stewart Baker

The Office of His Holiness the Dalai Lama is partly a religious, partly a diplomatic mission. The Dalai Lama travels widely and seeks audiences with foreign diplomats and officials to demonstrate support for his faith and for Tibetan independence. The Chinese government in turn vehemently opposes an independent Tibet and does all it can to discourage official meetings with the Dalai Lama.

The Dalai Lama’s travel schedule is thus a matter of high state interest, and the planning of his meetings has an element of cat and mouse about it. The Dalai Lama’s office finds that the best way to set up those meetings is first to send an email to the officials the Dalai Lama hopes to meet and then follow up quickly with a telephone call.

But around the early part of 2008, something odd began to happen. The Dalai Lama’s office would send an email to a diplomat as usual proposing a meeting. Then it would call to discuss the details, again as usual. But the diplomat’s office would be strangely cool. “We’ve already heard from the Chinese government,” the diplomat’s staff would say, “and they’ve strongly discouraged us from having this meeting.”

***

The Dalai Lama and his office had been using the Internet since the 1990s. His network administrators knew the risks, and they'd been careful about computer security for years. They’d implemented the standard defenses against network attacks. They didn’t know what had happened. But the evidence of a serious breach was simply too strong.

They called in a team of Western computer security experts. What the experts found was deeply troubling, and not just for the Dalai Lama.

Some of the Dalai Lama’s staff participate in Internet forums. They chat with other, like-minded individuals about the Dalai Lama’s goals and activities. Sometimes one of their online acquaintances sends them Word or .pdf documents relevant to those activities.

The experts concluded that hackers had monitored these forums and then forged an email from a forum participant to a member of the Dalai Lama’s staff attaching a document of mutual interest. When the staff member opened the document, he also activated a piece of malware packed with it. While the staff member was reading the document, the malware installed itself in the background.

The malware was cleverly designed; two-thirds of commercial antivirus software programs would have missed it. (Hackers often subscribe to antivirus software so they can test their malware against it at leisure.) Even if one attachment was stopped, it would be a simple matter to retransmit the message using a different bit of malware; the attackers could keep trying until something got through.

Once installed, the malware would “phone home,” uploading information about the victim’s computer and files to a control server operated by the hackers. Next, the captured computer would download more malware to install on the staff member’s machine. This was often a complete administrative program that would allow the attackers to control the staffer’s computer, and in some cases the entire network.

The administrative malware took full advantage of the empowerment made possible by today’s technology. It featured a graphic interface with dropdown menus offering even an unsophisticated attacker a wide variety of options.

Want to record every keystroke as the user types so you can steal all his passwords? Check one of the options on the menu.

Want to turn on the user’s microphone, turning it into a bug so you can listen to the office conversations? Check another box.

Want video straight from the user's desktop camera? That's just another option on the menu.

In the end, the Dalai Lama's office was living a version of Orwell's 1984. Telescreens in each room spied on the occupants. But in this version of 1984, Big Brother didn’t even have to pay for this spy equipment. It had been purchased and installed by the victims.

Once the hackers had compromised a single computer on the network, it wasn’t hard to compromise more. Every time an infected computer sent a document by email, malware could be attached to the file. The recipient couldn’t possibly be suspicious; the email and attachment were exactly what he expected to receive from his colleague. He opened the document. The malware installed itself in the background. The cycle began again. It was an entire network of surveillance, dubbed Ghostnet by the security team.

Ghostnet has lessons for all of us. You may be sure you wouldn’t fall for the Spanish lottery, and perhaps not even for a Facebook call for help, but it’s hard to find any comfort in this story.

Do you rely on standard commercial antivirus software to scan attachments? Do you open documents sent by people you’ve met on line? How about documents from prospective customers or clients? Or old friends you recently connected with on line? Do you open mail and documents sent to you by coworkers?

Of course you do. So do I. And that means that most of us are no more able to defend ourselves from this attack than the Dalai Lama was.

If there were any doubt about the scope of such attacks, they were eliminated by what the security team did next.

They took another look at the IP address of the hacker’s control server, and asked a simple question.

“Do you think hackers who need a graphic interface to steal secrets are really good at locking down their own computers?” I imagine the Canadian team sharing a mischievous smile as they asked.

Perhaps a veil should be drawn over exactly what they did next. Hacking is illegal in most jurisdictions, even if you're hacking someone who has just hacked you. Using methods they decline to specify, the security team was able to verify that whoever attacked the Dalai Lama’s network was indeed much better at breaking into other people’s computers than at keeping intruders out of their own.

Finding themselves inside the hackers’ control servers, the security team naturally had a look around. They watched as reports came in from the Dalai Lama’s computers. But that’s not all. Reports were coming in from other computers as well. Hundreds of them.

The hackers who compromised the Dalai Lama’s network were collecting data from nearly 1300 other computers. Who else had been targeted by the attackers? That wasn’t hard to find out. All the security team had to do was to ask who owned the IP addresses of the compromised computers.

What they found was a Who’s Who of Asian organizations that ought to be highly concerned about -- and pretty good at -- computer security. Indian embassies in the United States, Germany, and the United Kingdom. The foreign ministries of Iran, Indonesia, and the Philippines. The Prime Minister’s office in Laos. All were in thrall to the attackers’ servers. Computers in sensitive businesses, from the Asia Development Bank to Vietnam’s petroleum company, were also sending the attackers their data.

And, even though this set of attacks does not seem to have been aimed at the United States, Ghostnet was collecting reports from computers that belonged to Associated Press and the auditing firm of Deloitte & Touche. Oh, and NATO too.

No one was safe.

The security team split on the question whether to assign responsibility for Ghostnet to China. Some said it must be the Chinese government. Others were willing to let the facts speak for themselves. The Chinese government denies everything.

But there’s not much comfort for us in the denials. The attacks happened, and they worked. If a government wasn’t responsible, then this kind of capability is already in the hands of organized crime. Indeed, with its script-spy graphic interface and unsecured control servers, the whole episode underlines a troubling fact. Thanks to exponential empowerment, today’s hackers don’t even have to be very good. Empowered by democratizing technology, they can still beat our best defenses.

In fact, something similar to Ghostnet is already being used by organized crime. Most businesses depend on bank clearinghouse accounts or electronic fund transfers to pay their bills. They log on to bank sites using passwords; for larger amounts they may also be asked a set of “challenge questions” seeking information only the businesses know. But corporate officials also open email attachments from business contacts, and once attackers have access to the officials' keystrokes, neither the password nor the challenge questions offer any security. Hackers have stolen more than $100 million from US businesses using this technique, the FBI reported in October 2009.

I wasn’t in government in 1998 or 2003, when the Clinton and Bush administrations called for new computer security measures. I didn’t get the classified briefings that galvanized both presidents. Now I figure I don’t have to.